[RFC 0/2] ima: evm: Add kernel cmdline options to disable IMA/EVM
Roberto Sassu
roberto.sassu at huaweicloud.com
Thu Dec 19 15:40:32 UTC 2024
On Wed, 2024-12-18 at 17:07 +0000, Song Liu wrote:
> Hi Mimi,
>
> Thanks for your comments!
>
> > On Dec 18, 2024, at 3:02 AM, Mimi Zohar <zohar at linux.ibm.com> wrote:
> >
> > On Tue, 2024-12-17 at 13:29 -0800, Casey Schaufler wrote:
> > > On 12/17/2024 12:25 PM, Song Liu wrote:
> > > > While reading and testing LSM code, I found IMA/EVM consume per inode
> > > > storage even when they are not in use. Add options to diable them in
> > > > kernel command line. The logic and syntax is mostly borrowed from an
> > > > old serious [1].
> > >
> > > Why not omit ima and evm from the lsm= parameter?
> >
> > Casey, Paul, always enabling IMA & EVM as the last LSMs, if configured, were the
> > conditions for making IMA and EVM LSMs. Up to that point, only when an inode
> > was in policy did it consume any memory (rbtree). I'm pretty sure you remember
> > the rather heated discussion(s).
>
> I didn't know about this history until today. I apologize if this
> RFC/PATCH is moving to the direction against the original agreement.
> I didn't mean to break any agreement.
>
> My motivation is actually the per inode memory consumption of IMA
> and EVM. Once enabled, EVM appends a whole struct evm_iint_cache to
> each inode via i_security. IMA is better on memory consumption, as
> it only adds a pointer to i_security.
>
> It appears to me that a way to disable IMA and EVM at boot time can
> be useful, especially for distro kernels. But I guess there are
> reasons to not allow this (thus the earlier agreement). Could you
> please share your thoughts on this?
Hi Song
IMA/EVM cannot be always disabled for two reasons: (1) for secure and
trusted boot, IMA is expected to enforce architecture-specific
policies; (2) accidentally disabling them will cause modified files to
be rejected when IMA/EVM are turned on again.
If the requirements above are met, we are fine on disabling IMA/EVM.
As for reserving space in the inode security blob, please refer to this
discussion, where we reached the agreement:
https://lore.kernel.org/linux-integrity/CAHC9VhTTKac1o=RnQadu2xqdeKH8C_F+Wh4sY=HkGbCArwc8JQ@mail.gmail.com/
Thanks
Roberto
More information about the Linux-security-module-archive
mailing list